News

Office 365 Gets Multifactor Authentication at No Cost

Microsoft this week added free multifactor authentication support to its standalone Office 365 plans, as well as to the Midsize Business, Enterprise, Academic and Nonprofit Office 365 plans.

Microsoft's multifactor authentication service is based on technology from PhoneFactor, which it acquired in 2012. It enables confirmation of user identities via automated phone calls and text messages before allowing them access to Office 356 applications. Authentication can also be verified through Microsoft's free notification app, which is available for Windows Phone, Android and iPhone devices.

Currently, secondary authentication support is just available for Web-enabled Office 365 products.

"Today, the second factor of authentication is available for web-based access to Office 365 only," a Microsoft spokesperson clarified via e-mail. "For the Office desktop applications we are planning to add the ability for a second factor of authentication later in 2014."

Office 365 subscribers are just getting a subset of Microsoft's full Windows Azure Multi-Factor Authentication service (see table). The Windows Azure Multi-Factor Authentication service was rolled out in September and is priced at $2 per user per month. In contrast to the Office 365 version, the Windows Azure Multi-Factor Authentication service is full featured, with support for hybrid networks. It supports the generation of security reports and fraud alerts, and includes controls to block or unblock users. It also supports various customizations and includes a software development kit.

  Multi-Factor Authentication for Office 365 Windows Azure Multi-Factor Authentication
Administrators can Enable/Enforce MFA to end-users Yes Yes
Use Mobile app (online and OTP) as second authentication factor Yes Yes
Use Phone call as second authentication factor Yes Yes
Use SMS as second authentication factor Yes Yes
Application passwords for non-browser clients (e.g. Outlook, Lync) Yes Yes
Default Microsoft greetings during authentication phone calls Yes Yes
Custom greetings during authentication phone calls - Yes
Fraud alert - Yes
MFA SDK - Yes
Security Reports - Yes
MFA for on-premises applications/ MFA Server - Yes
One-Time Bypass - Yes
Block/Unblock Users - Yes
Customizable caller ID for authentication phone calls - Yes

Table 1. Multi-Factor Authentication for Office 365 is a subset of Microsoft's more complete Windows Azure Multi-Factor Authentication service, which offers more customization options and support for hybrid network scenarios. (Source: "Multi-Factor Authentication for Office 365" TechNet document)

Administrator Perks
Microsoft also claims this week to have rolled out Multi-Factor Authentication for Azure Administrators. It's also a free service like the Office 365 version, but it's designed for administrators of Office 365 and Windows Azure accounts. Multi-Factor Authentication for Azure Administrators was announced as available on Tuesday, although it apparently was available some time before. Shawn Bishop, a program manager on the Windows Azure Multi-Factor Authentication team, said that "technically, this has been around for a number of months." Like the Office 365 version, Multi-Factor Authentication for Azure Administrators contains just a subset of the features that are available in Microsoft's full-fledged Windows Azure Multifactor Authentication service.

Organizations wanting to use the Windows Azure Multifactor Authentication service for other applications besides Microsoft's cloud-enabled services can run it from a server on their own premises. Microsoft calls the server used for such an approach the "Multi-Factor Authentication Server." Running the Multi-Factor Authentication Server on premises allows the data to stay on the customer's site, but Windows Azure still performs the authentications from Microsoft's servers, according to Bishop. However, using that hybrid approach enables an organization to add authentication support across some of its network solutions. For instance, it can support solutions such as "VPN, AD FS, UAG, TMG, RD Gateway, on-premises OWA/Exchange, Citrix, IIS web applications and Terminal Services," according to Bishop. He added that the server comes with a "User Portal that permits users to perform self-enrollment" and other account management functions.

Work in Progress
Microsoft is continuing to add to its multifactor authentication service. Some parts aren't complete. For instance, there currently isn't second-factor authentication for Office applications for the desktop, including "Outlook, Lync, Word, Excel, PowerPoint, PowerShell, and SkyDrive Pro," according to Microsoft's announcement. Instead, Microsoft suggests using a new "App Passwords" feature in the interim.

"An App Password is a 16-character randomly generated password that can be used with an Office client application as a way of increasing security in lieu of the second authentication factor," Microsoft's announcement explained. However, App Passwords don't work to enable access to PowerShell, Microsoft warned.

Microsoft is promising to enable "native multi-factor authentication" for Office 365 users that doesn't require the App Password approach sometime later this year. For now, Microsoft is requiring the use of the App Password.

"App Password will be required for users who are enrolled in Multi-Factor Authentication for Office 365," the Microsoft spokesperson explained.

Microsoft also plans to add support for "third-party multi-factor authentication solutions" as well as smart cards, although it's not clear when that will happen.

Featured